Training before The Black Hat Briefings '01
Amsterdam, November 19th - 20th
Providing practical security of current issues

Class overview and schedule

Class size will be up to a maximum of 30 people.

Today, more than ever, protecting the IT
resources of a company against security threats is of vital importance.
In order to do this, your company's professionals need to be capable of
guarding your company's resources. Black Hat Training is designed
to raise these professionals' competence level in Internet security to
a whole new level.

The Trainers

The trainers for these sessions
are experts in the subject matter they are teaching and are fully active
in the computer security arena. Some of the speakers you won't find
anywhere else. They are taking some time out of their heavily occupied
life in order to lead training for Black Hat. Here, they want to
share new and interesting security information on cutting-edge topics.
Get to know the tools and techniques applied by hackers. Fight them
with their own means. Those hand-picked security experts will train
you in understanding the real threats and securing your network.

Class size will be up to a maximum of 30
people. Lunch and two coffee breaks will be provided.

Offerings (Track
'A' and 'B')

Two days before the Black
Hat Briefings 2001 Amsterdam, Black Hat, Inc. is proud to present in-depth training
in three parallel tracks.

The Internet Control Message Protocol (ICMP)
may seem harmless at first glance. In terms of security, ICMP is one of
the most controversial protocols in the TCP/IP protocol suite. This workshop
will be an in-depth theoretical and hands-on experience with the ICMP protocol
and its usage in scanning.

We will start by explaining the protocol's
basics and characteristics. We will explain the circumstances in which
each ICMP message is generated and, for ICMP error messages, what
triggered them. We will explain where and why to expect
to see ICMP messages, and in which segments of your network. We will go
over security hazards (such as D.o.S., Covert Channels and more) with each
ICMP message. This part of the training explains many phenomena in
TCP/IP networking.

We will explain some basic Host Detection
methods. We will not only concentrate on ICMP query messages, we will also
examine some unique situations where a simple ICMP error message will carry
more than enough information for the malicious computer attacker.

We will cover host-based security methods
and explain why these measures are not enough. Next we will give an overview of
methods which aim to trigger ICMP error messages back from the probed IP addresses. Some
of these Advanced Host Detection methods will allow us to detect the presence
of a filtering device, and even to learn and understand the ACL scheme
a filtering device is enforcing on a protected network. We will also learn
why, in some cases, firewalls fail to understand that values inside the
IP header were mangled. We will have a live demonstration with one of
the leading firewall products in the market today. Methods, which take
advantage of Router functionality, and aid a prober in unique circumstances,
will also be examined.

Active operating system fingerprinting
methods using the ICMP protocol, discovered by the ICMP project, will be
examined and explained. We will examine the methods that allow us to clearly
identify a flavor of an operating system. We will demonstrate methods that
will allow us to fingerprint and differentiate between Linux, Sun Solaris,
Microsoft (all flavors), HPUX, AIX, FreeBSD, Ultrix, and other OSs based
machines. For example, we will demonstrate how we can differentiate between
all the different flavors of Microsoft based operating systems. We will
be using a set of tools to generate the queries and examine the different
behavioral patterns we produce from the servers in the class. We will focus on our ability to combine
everything together, and how this makes the process of operating system
identification and fingerprinting more efficient and simple (even better
than common methods being used in the computer security field today).

We will learn ways to identify the different
methods of active OS fingerprinting using the ICMP protocol with the help
of Snort, a free IDS utility.

The subject of Passive Fingerprinting using
the ICMP protocol will be explained and demonstrated. We will examine the
Microsoft way of implementing the ICMP protocol and how this helps us to
fingerprint all of the Microsoft based operating systems passively. We
will also explain how to build a proper firewall rule base that might handle
most of the methods introduced.

What to bring to training: Students
are encouraged to bring their own laptop, packed with their favorite OS,
sniffing tools, and the telnet client of their choice.

Ofir Arkin is the Founder of the Sys-Security
Group, a free computer security research body. Ofir is most widely
known for his research about the ICMP protocol usage in scanning. He has
extensive knowledge and experience with many aspects of the Information
Security field including: Cryptography, Firewalls, Intrusion Detection,
OS Security, TCP/IP, Network Security, Internet Security, Networking Devices
Security, Security Assessment, Penetration Testing, E-Commerce, and Information
Warfare. Ofir has worked as a consultant for several European finance institutes
where he played the role of Senior Security Analyst, and Chief Security
Architect in major projects. Ofir has published several papers, the newest
deal with "Passive Fingerprinting techniques" and with the "ICMP protocol
usage In Scanning".

JD Glaser

NT Network Intrusion Workshop

This NT Network Intrusion workshop will
put the student in control of network intrusion traffic analysis. It will
focus on NT specific protocols and attack patterns. The course will consist
of two parts.

The afternoon session will be an intensive
hands-on traffic analysis workshop in which the students will directly
apply what they have learned from the morning session. Activities will
include establishing baseline patterns and intrusion packet identification
using the students' own tools. (Software tools will be provided for students
without.)

Several current attack patterns will be
mixed into a live network and the student must correctly identify the attack
activity. The emphasis will be to learn how to react to the shortcomings
of IDS systems, or to new attacks that IDS aren't aware of. Students should
bring their own laptop / network card running NT or Unix/Linux to obtain
the best hands-on experience.

What to bring for this training:
A laptop with a 10/100 MB ethernet network card running Windows NT or Windows
2000. Everyone will have something to work with.

What will be provided: A CD with
several open source win32/linux sniffers to use in class - TCPDump, NGrep,
Analyzer and Ethereal

New: Updated slides will cover settings
for just about every sniffer - NetMon, SnifferPro, TCPDump, NGrep, Analyzer
and Ethereal

Halvar Flake

Auditing Binaries for Security Vulnerabilities

This workshop would give the audience a
good overview of the process of manually auditing binaries for security
vulnerabilities. The theoretical part will take up most of the morning
and cover the following topics:

1) Common C/C++ Programming mistakes and how they look when compiled
2) Using IDA Pro
3) Spotting suspicious constructs in the binary
4) Threat evaluation on suspicious programming constructs

The afternoon will be the hands-on part.
The students will be provided with several known-to-be vulnerable binaries
(both real-life products and constructed examples) and are encouraged to
work either in teams or on their own trying to spot the vulnerabilities.
This part of the day is supposed to both help the students get familiar
with the usage of IDA Pro and to let them ask questions that will arise
during the process of actually analyzing executables. Furthermore,
it will give the students a good impression of the amount of frustration
involved with auditing closed-source programs.

What to bring to training: Students
are encouraged to bring their own laptop running 9x/ME/NT/2k and their
own copies of IDA Pro (http://www.datarescue.com).
For the workshop itself the evaluation version of IDA Pro will be used.
Furthermore, a decent knowledge of C programming and a passing knowledge
of x86 assembly is needed in order to get anything out of this workshop.

Foundstone

Ultimate Hacking - Black Hat Edition

Foundstone presents a special 2 day edition
of Ultimate Hacking for the Black Hat Briefings and Training for the Amsterdam
Black Hat.

Security vulnerabilities are an unfortunate,
but unavoidable, part of today's computing systems. If exploited by internal
or external users, these weaknesses can be catastrophic to your organization.
Ultimate Hacking participants learn step-by-step procedures for executing
Internet, intranet, and host-level security reviews through classroom presentations
and hands-on lab exercises. This course is the definitive training for
learning how to perform "tiger team" and attack and penetration assessments.

Foundstone instructors cover all the bases,
presenting manual and scripted security-review techniques that go far beyond
what automated analysis tools can do. Equally important, the classroom
lab provides a way for participants to take that abstract information and
apply it in a hands-on environment. You return to your organization with
valuable knowledge and experience.

What Is Taught? Because security
is an ever-changing battlefield, we continually update Ultimate Hacking
to reflect the latest network vulnerabilities and defenses, from Windows
NT and Unix hosts to routers and firewalls. Instructors illustrate each
technology's default security posture, common installation weaknesses,
methods hackers use to circumvent "secure" settings, and countermeasures
for each vulnerability.

Classroom instruction is just the beginning
though. The most effective way to gain security skills is to practice them,
and Ultimate Hacking participants have a full computer lab at their disposal
to do just that.

Foundstone instructors walk you through
footprinting an organization's Internet presence (with proper permission!),
then show you how to identify, exploit, and secure well-known and little-known
vulnerabilities in Windows NT, Windows 2000, and Unix systems.

Participants also explore common weaknesses
in router and firewall installations, learning ways to circumvent both
traditional and "hardened" security filters or firewalls. The course's
final exercise assimilates the multi-day instruction. In it, participants
assess and attempt to exploit a simulated "secure" network with multiple
OSes and security mechanisms.

Why Do We Teach This? In order
to secure and monitor your network, you need to know its weak points. Traditional
security assessments, performed by accounting firms or "boutiques," can
yield valuable data. Too often though, assessments lack a structure for
transferring information to those in your organization who can make the
most of it. The hands-on Ultimate Hacking course provides participants
with both the knowledge and experience to perform ongoing security assessments
themselves.

Who Should Attend? System and network
administrators, security personnel, auditors, and consultants concerned
with network and system security. Basic Unix and Windows NT competency
is required for the course to be fully beneficial.

Course Length: 2 days, 30 students, Cost: US $2,500

Includes an individual dual-boot Windows
NT/Linux laptop for use during the course, use of the lab network and computers,
class handouts, and a CD-ROM with course tools and scripts. Breakfast and
an afternoon snack are provided.

Rooster

Complete Windows 2000 Security

A comprehensive one-day course, Complete
Windows 2000 Security takes you through the end-to-end process of securing
your Windows 2000 network. Many people spend a tremendous amount of time
locking down their systems, but this is really only part of the security
process. A complete process is made up of three steps: creating a
security policy, implementing the security policy, and then auditing that
policy.

This course will focus on Windows 2000
as a host, working on the Local Security policy, registry settings and
other hardening techniques to get everything you can out of your Windows
2000 server. The second half focuses on the domain level with Active
Directory. Concepts such as authentication, group policy, IPSec,
and others will be covered here.

Creating a Security Policy: The class
structure will partly be defined by the class. We will decide together
what kind of a policy we want to define as an organization. An example
policy will be provided but we will only be using that as a skeleton for
when we define our own.

Implementing the Security Policy:
Here we will actually dig our hands into what Windows 2000 has to offer.
Using the latest techniques and the cutting edge Microsoft technology we
will push that policy first on the machine, then the domain.

Auditing the Security Policy: Once you
have implemented your security policy how can you make sure it is correct?
And, how can you make sure it does what you want it to? That is where
the audit process comes in. Here we will show you techniques that
are used to verify the integrity of the system, including doing external
attack type audits to verify the integrity of your policy.

Students should come prepared with a laptop
running Windows 2000 Server. Installing the latest version of Perl
from http://www.activestate.com,
while not required, will definitely help you get more out of the class.
Getting a good basic understanding of Active Directory will help as well.
We will be covering the basics but only briefly. Using the help files
that come with is a good place to start. The microsoft.com site,
specifically here
has lots of information as well.

Tim Mullen

Secure Development of Data-Driven Web Applications

Deploying a poorly designed web application
can be like propping open the Front Door into your network infrastructure.
The vulnerabilities introduced by these design flaws can be exploited with
different techniques of SQL injection, URL manipulation, error/debug code
analysis, and other insidious methods.

Since detection of these attack modes can
be difficult (or sometimes impossible when made over secure channels),
it is not only important to learn how these attacks are structured; one must
learn how to build an application whose very structure mitigates the impact
these techniques can have.

In contrast to many Black Hat sessions flavored
toward the "exploit" side of things, this session will concentrate on the
techniques and methods used to protect your network from these types of
vulnerabilities, and "best practices" to follow when developing your data-driven
applications.

With content specific to Microsoft IIS5
and SQL2000 utilizing ASP and ADODB, this course will provide an overview
of a typical application's lifespan from the design and planning stage,
through to its production and deployment.

The course will be broken into two main
areas of study: Development and Implementation.

What to bring to training:
Students should bring their own network-ready laptops preferably running
NT or Win2k with CDRom drive and an open mind. A CD will be provided
with reference material, sample code, and utilities.

Timothy Mullen is CIO and Chief Software
architect for AnchorIS.Com, a developer of secure enterprise-based accounting
solutions. Mullen is also a columnist for Security Focus' Microsoft
Focus section, and a regular contributor of InFocus technical articles.
A.k.a. Thor, he is the founder of the "Hammer of God" security coop group.

How many people can attend?

Due to the experimental nature
of these training sessions and the desire to create a hands-on environment
with optimal interaction/communication between trainer and student, only
the first 30 people will be accepted for each track.

What do I need to know?

Since this training is targeted
toward a more advanced audience, students are expected to be familiar with
all security basics and technologies, concepts of firewalls, and routing.
Basic system administration skills for Unix or Windows NT are expected.
If, on the other hand, you know your way around a Unix box, have dealt
with Windows NT at a functioning administrative level, and have written and debugged
your own or others' scripts, this training may be for you!

What do I need to bring?

Because of the technical nature
of this training, students are required to supply their own hardware.
Laptops are the first choice, but if you want to bring a desktop that is
also acceptable. Laptop requirements will be dictated by which tracks
you will be attending. Please see the requirements of each training
session when setting up your laptop. The machines should be set up
for a 10Mbit ethernet 10BaseT network. See the class section to get
an understanding of what types of tools you should have already installed.

Location

The Black Hat Training will take place
at the Hotel Krasnapolsky in Amsterdam. Please
visit this hotel information page
for room rates and hotel specifics.

Costs are $750 US for each day of training,
meals, and materials. Costs are $2,500 US for the two day Foundstone
Ultimate Hacking course.